Pagoda Blog

Home Depot Hack Turns Into Criminal Negligence Scandal

September 30, 2014

CyberheistNews Vol 4, 39

http://blog.knowbe4.com/

Wait for the class-action lawsuits to get unleashed. The lawyers are going to be all over this one like white on rice. Ex-employees from the Home Depot IT technology group are now claiming that management of the retailer had been warned for years that their Point Of Sale systems were open to attack and did not act on these warnings. Several members of the Home Depot IT security team quit their jobs in protest.

It gets worse. In 2012, Home Depot management hired Ricky Joe Mitchell as their Senior IT security architect, apparently without doing their due diligence and background check. Turns out that Mitchell was fired from a company called EnerVest Operating where he sabotaged that company’s network for 30 days in an act of revenge.

It gets even worse. Mitchell was kept on the job at Home Depot even after his indictment a year later and remained in charge of Home Depot security until he finally pled guilty to federal charges in January 2014.

Wait, we're not done yet. Things are worse than that. The same ex-employees claim that Home Depot relied on antivirus that was not being updated with new antivirus definitions, a version of Symantec AV purchased in 2007.

And here is the next epic fail. As we all know, to be PCI compliant, you need quarterly security scans, done by authorized third parties. However, vulnerability scans were only done irregularly, and most of the time only on a relatively small number of stores. A few IT security ex-employees said that their team was blocked from doing security audits on machines that handled customer data.

And finally, to add insult to injury, in a total disregard for best practices, the Home Depot didn’t run any kind of behavioral network monitoring, which means they were not able to detect any breaches and for instance see unusual files being exfiltrated from the network.
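The kind of behavioral network monitoring the paragraph above says was missing is, at its simplest, a per-host baseline of outbound traffic plus an alert when a host departs from it. The following is an added example written for this page, not code from the original post, KnowBe4 or Home Depot. It learns each point-of-sale host's normal daily outbound volume and destination set from a week of constructed, NetFlow-like sample records, then flags a host that suddenly pushes far more data than usual, talks to a destination it has never used, or has no history at all. Host names, IP addresses and byte counts are all constructed; the 3-sigma threshold and the 10% floor on the spread (so a host with a perfectly flat history still has a tolerance band) are design assumptions, not values from the article.

```python
"""Baseline-deviation detector for outbound volume (added example, constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (day, src_host, dst_ip, bytes_out).
# Days 1-7 are the learning period; day 8 is the window being checked.
# 203.0.113.45 is a documentation address standing in for an external host.
FLOWS = [
    (1, "pos-store-101", "10.0.5.20", 2_000_000),
    (2, "pos-store-101", "10.0.5.20", 2_100_000),
    (3, "pos-store-101", "10.0.5.20", 1_950_000),
    (4, "pos-store-101", "10.0.5.20", 2_050_000),
    (5, "pos-store-101", "10.0.5.20", 2_000_000),
    (6, "pos-store-101", "10.0.5.20", 2_200_000),
    (7, "pos-store-101", "10.0.5.20", 1_900_000),
    # pos-store-102 sends exactly the same amount every day (zero spread edge case)
    (1, "pos-store-102", "10.0.5.20", 1_800_000),
    (2, "pos-store-102", "10.0.5.20", 1_800_000),
    (3, "pos-store-102", "10.0.5.20", 1_800_000),
    (4, "pos-store-102", "10.0.5.20", 1_800_000),
    (5, "pos-store-102", "10.0.5.20", 1_800_000),
    (6, "pos-store-102", "10.0.5.20", 1_800_000),
    (7, "pos-store-102", "10.0.5.20", 1_800_000),
    # Day 8: normal batch upload, plus a 60 MB push to a never-seen external host
    (8, "pos-store-101", "10.0.5.20", 2_000_000),
    (8, "pos-store-101", "203.0.113.45", 60_000_000),
    (8, "pos-store-102", "10.0.5.20", 2_100_000),
    # A host that appears for the first time on day 8 (no baseline to compare with)
    (8, "kiosk-9", "10.0.5.20", 500_000),
]


def daily_totals(flows):
    """Sum bytes_out per host per day, and collect the destinations each host used."""
    totals = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(set)
    for day, host, dst, nbytes in flows:
        totals[host][day] += nbytes
        dests[host].add(dst)
    return totals, dests


def build_baseline(flows, learn_days):
    """Per-host mean and population stddev of daily outbound bytes, plus known destinations."""
    learn = [f for f in flows if f[0] in learn_days]
    totals, dests = daily_totals(learn)
    baseline = {}
    for host, per_day in totals.items():
        vals = list(per_day.values())
        baseline[host] = {"mean": mean(vals), "sd": pstdev(vals), "dests": dests[host]}
    return baseline


def detect_anomalies(flows, baseline, day, sigma=3.0, floor_ratio=0.10):
    """Return one alert dict per host whose day-`day` behaviour departs from its baseline.

    Reasons: "no_baseline" (host never seen before), "volume" (bytes_out above
    mean + sigma * spread, where spread is at least floor_ratio * mean so a flat
    history still gets a tolerance band), "new_destination" (unseen dst_ip).
    """
    window = [f for f in flows if f[0] == day]
    totals, dests = daily_totals(window)
    alerts = []
    for host in sorted(totals):
        sent = totals[host][day]
        reasons, new_dests = [], []
        base = baseline.get(host)
        if base is None:
            reasons.append("no_baseline")
        else:
            spread = max(base["sd"], floor_ratio * base["mean"])
            if sent > base["mean"] + sigma * spread:
                reasons.append("volume")
            new_dests = sorted(dests[host] - base["dests"])
            if new_dests:
                reasons.append("new_destination")
        if reasons:
            alerts.append({"host": host, "bytes_out": sent,
                           "reasons": reasons, "new_destinations": new_dests})
    return alerts


if __name__ == "__main__":
    base = build_baseline(FLOWS, range(1, 8))
    for alert in detect_anomalies(FLOWS, base, day=8):
        print(alert)
```

Run as a script it prints two alerts: kiosk-9 because it has no history, and pos-store-101 because its 62 MB day is far above its roughly 2 MB baseline and it contacted a destination it had never used. pos-store-102 stays quiet even though its history has zero variance, which is why the floor on the spread matters: without it any change at all would fire. In a real deployment the learning window would be longer, records would come from flow or proxy logs rather than an inline list, and the volume check would normally be paired with time-of-day and destination reputation, but the shape of the logic is the same.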

Now their PR team tried to paper over all this criminal negligence and claimed that the company maintains "robust security systems", and that the malware was custom made and hard to detect. Yeah, right. I see another CEO being fired in the near future...

Looking at this type of negligent behavior, Home Depot must not have done a lot of security awareness training for their employees either. It is not yet known how the hackers got in, but a website that was not sufficiently protected and allowed a SQL injection and a spear-phishing attack are the most likely attack vectors.

Don't let this happen to you and as part of your defense-in-depth, step your users through effective Kevin Mitnick security awareness training. Find out how affordable this is for your organization. Click on the link to get a quote: http://www.knowbe4.com/get-a-quote-kmsat/